GitOpsCon North America 2021

GitOps is a pattern for managing the state of Kubernetes clusters using git as the source of truth. The entire state of the cluster is declared in manifests stored in git repositories and any changes to the manifests follow well-known git processes. Once the manifests are version controlled in git, then there's a number of state reconcilers (Flux, ArgoCD and the like) that can automatically apply changes from the repository. However, this leaves a significant gap in the process: How do we build and get the manifests *into the git repositories* in the first place? This talk will walk through Chick-fil-A's experiences with GitOps to manage the state of our production clusters at scale and offer what we see as opportunities to improve the frontend of the process.

Kubernetes is hard to operate in a multi-tenant manner. As organizations add API's and privileged controllers to their clusters, it becomes infeasible to build clusters that teams can share with each other safely. This is a design issue with the way projects extend Kubernetes.  While policy engines like Gatekeeper and Kyverno enable cluster owners to patch over insecure API surfaces to protect tenants, there are patterns that produce API's resistant to cross-tenant issues. It's possible to extend Kubernetes without relying on admission-based policy engines to restrict API boundaries and controller implementations.  This session will teach you how to enable multiple organizations and teams to work safely together across namespaces and clusters. Flux will be used as an example on how to use RBAC, impersonation and kubeConfig secrets, but the techniques shown can be used to improve projects across the ecosystem!